WebApp Sec mailing list archives

RE: Extended ASCII characters used for injection


From: "Onken, Skyler" <onk08001 () byui edu>
Date: Tue, 19 Oct 2010 13:56:23 +0000

I'm not aware of any injection attacks directly. In the past I have been able to force information disclosure via 500 
error pages (file structure, other applications used, etc.) by submitting sequences of characters like those you showed. 

Skyler Onken
CEH, ECSA, Security+
http://securityreliks.securegossip.com
________________________________________
From: listbounce () securityfocus com [listbounce () securityfocus com] on behalf of Nibbler [enibbler () gmail com]
Sent: Tuesday, October 19, 2010 7:06 AM
To: webappsec () securityfocus com
Subject: Extended ASCII characters used for injection

Hi list,

I have a web app and I want to block special characters in URLs on the
web server. Do you know if there is a risk of injection (XSS...) with
extended ASCII chars (%7f-%ff)?
Is there any reason to block these characters?

Thanks
Regards,
Nib
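
An added example, not part of either message in this thread: one way to handle percent-encoded bytes in the %7f-%ff range at the edge of the application, so that malformed sequences get a deliberate, generic 400 instead of reaching code that might fail with a verbose 500 page. It assumes the application expects UTF-8 in URLs; the function name `check_request_target` and the sample paths are constructed for illustration.

```python
from urllib.parse import unquote_to_bytes


def check_request_target(raw):
    """Validate a still percent-encoded path or query string.

    Returns (status, reason). Assumption: the application expects UTF-8,
    so bytes 0x80-0xFF are only acceptable inside well-formed UTF-8.
    """
    # A request target should be ASCII on the wire; high bytes must be %-encoded.
    if not raw.isascii():
        return 400, "raw non-ASCII character in request target"

    data = unquote_to_bytes(raw)

    # %00-%1f and %7f (DEL) are control characters with no place in a URL.
    if any(b < 0x20 or b == 0x7F for b in data):
        return 400, "control character"

    # Strict decoding rejects lone high bytes (%ff, %e9), truncated
    # sequences and overlong forms such as %c0%af.
    try:
        text = data.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return 400, "invalid UTF-8 sequence"

    # U+0080-U+009F (C1 controls) are valid UTF-8 but not printable text.
    if any(0x80 <= ord(ch) <= 0x9F for ch in text):
        return 400, "C1 control character"

    return 200, "ok"


# Constructed sample inputs.
SAMPLES = ["/index.html", "/caf%C3%A9", "/a%7f", "/a%ff", "/a%e9",
           "/a%c0%af", "/a%c2%85"]

if __name__ == "__main__":
    for path in SAMPLES:
        status, reason = check_request_target(path)
        # Log the reason server-side; send the client only a generic 400 body.
        print(f"{status} {path!r}: {reason}")
```

Rejecting the whole %7f-%ff range would also reject legitimate UTF-8 such as `/caf%C3%A9`; validating the decoded bytes keeps those while refusing the malformed sequences.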



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------



